Why The World's Most Widely Used Messaging Apps Are Completely Insecure

Silicon Valley has often made product usability the priority over product security. Photo: Reuters

Some of the most popular messaging apps in use today don't meet basic standards to ensure the privacy of their users, according to an audit of these apps by the Electronic Frontier Foundation.

The EFF graded 39 different messaging services in seven respects. They looked at each one for its ability to encrypt data in transit, to encrypt it such that the provider can't read messages, for the user to verify contact identities, to remain secure if decryption keys are stolen, for the code to be open to independent review, for the security design to be properly documented, and for the code to have been independently audited.

The results are a bit surprising, especially among larger, name-brand apps. Consider WhatsApp, Facebook's $19 billion acquisition earlier this year and one of the most popular messaging apps in use today. All it can claim, per the EFF's findings, is that its data is encrypted en route to the recipient and that its code has been audited. The same is true for Facebook's own native chat product: It meets only two of the seven requirements. Anonymous gossip app Secret only encrypts messages en route and totally fails to check another box. Ditto for AOL's Instant Messenger, another mainstay in the messaging world.

These are products attached to big companies that can't meet the EFF's expectations for what should constitute a secure messaging system. Ostensibly, major tech companies should have the resources to throw at developing these kinds of systems, but this doesn't seem to be the case, according to the EFF.

"The main thing these companies can't get right is that they still hold the keys," said Nico Sell, CEO of anonymous messaging app Wickr. "Ideally you're using a different key for every single message that's generated on the device, but this isn't common. And the other thing to keep in mind is that these companies make money off of user information. Any company doing that isn't motivated to build a secure system. You should look at how people make their money. In Google's case, it uses perfect forward secrecy from device to server, so the NSA won't know what you're saying, but Google can."

Sell's Wickr meets four of the EFF's seven rubric items. "I believe there’s been more eyes on my app than any other in the world, and the most talented eyes at that," she said. "One of the steps I wish they had on there was anonymity. We’re one of the only ones that ensure user anonymity — it's rare and difficult to do. Other companies ought to consider metadata protection, because even with totally secure communication, people can tell who you’re talking to, when, and how often. We don’t have any metadata on our users."

Silent Circle, a firm that builds ultra-secure communication products, got a perfect score for its Silent Phone and Silent Text apps. In a joint venture with a hardware manufacturer called Geeksphone, the companies built Blackphone, a device that aims to be secure at the hardware level. "The core of what we believe focuses on the right of every individual around the world deserving the capability to have secure and private communications," said Daniel Ford, chief security officer of Blackphone. "With this in mind, we make it possible for our customers to choose what they want to share [and] for how long they want to share it, and the keys used to protect this information are always in control of our customers."

Sell rejects the oft-heard "I don't have anything to hide" response to privacy-related news. "You don't hear 'I have nothing to hide' in other countries," she said. "History is much closer to people in other countries."

Silicon Valley has often made product usability the priority over product security, but it "should really be possible to have both at once," said Pete Eckersley, technical projects director for the EFF. "It's only very recently that the big tech players have shown any interest in protecting people's messages against the company that makes the app itself. But the race is now on to see who can do that well, delivering both security and usability."

Eckersley said some big vendors are getting the message. "Of the established players, Apple seems to have an early lead with iMessage and FaceTime, but their offerings still don't meet all of our criteria and we expect tough competition from other big tech firms -- Google, Yahoo and WhatsApp have all said they are working on stronger messaging encryption. There are also a lot of new startups and open-source projects that have strong security designs, and if any of them can make their products really easy to install and use, we could see them have a big impact on the messaging landscape."

Until then, messaging app users should know that their communications are vulnerable to interception.

Watch for messaging apps to begin to focus on messaging and security in a brand-new way.